9/4/2018 6:45 PM Secure your Office 365 environment with best practices recommended for political campaigns Ethan Chumley Campaign Technology Advisor Civic Technology Services Mark Simos Lead Architect Enterprise Cybersecurity Group © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Torn from the headlines 9/4/2018 6:45 PM Torn from the headlines © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Campaign Technology Services 9/4/2018 6:45 PM Microsoft Campaign Technology Services © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/4/2018 6:45 PM Video © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Campaign Technology Challenges 9/4/2018 6:45 PM Campaign Technology Challenges privacy scalability security byod © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

But also works with hybrid 9/4/2018 6:45 PM Technical solution Modern and secure collaboration Secure email Secure collaboration & protected files Identity management Secure access to all cloud services B2B account management Device access BYOD and managed devices Mobile application management Secure analytics environment Cloud-based solution But also works with hybrid Uses E5 plans © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download all the details 9/4/2018 6:45 PM Download all the details Microsoft Security Guidance for Political Campaigns Test lab guides aka.ms/SecureCampaign © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Licensing Security focus drives recommendation for E5 plans 9/4/2018 6:45 PM Licensing Security focus drives recommendation for E5 plans Office 365 E5 Enterprise Mobility + Security (EMS) E5 Azure Active Directory P2 for B2B accounts Advanced Threat Protection for email drives the recommendation for E5 for all users with a mailbox. Advanced Data Governance capabilities are used to automate protection for data loss prevention. Risk-based conditional access and Cloud App Security drive the recommendation for EMS E5. Included with EMS E5. Risk-based conditional access can be used with B2B accounts. Every Azure AD paid license includes rights to 5 B2B collaboration users (5:1 model). Compare all Enterprise Mobility + Security Plans Compare all Office 365 for Business Plans © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Design Process Identity planning SharePoint site & file protection Tenant setup Identity & device access management Mail protection

9/4/2018 6:45 PM 1. Security planning starts with identity Identity is the new security perimeter © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Plan for users, accounts, and Azure AD groups 9/4/2018 6:45 PM Plan for users, accounts, and Azure AD groups 1. Categorize your users 2. Decide what type of accounts to use 3. Plan for Azure AD groups Group-based licensing Dynamic groups Protecting access by group assignment with MFA and conditional access Provision SharePoint sites Manage permissions with RMS templates for classified files See topic 4: Identity and capability planning (aka.ms/SecureCampaign) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Map capabilities by account types 9/4/2018 6:45 PM Map capabilities by account types Key decision: Which users need to be in your tenant? Do B2B capabilities provide enough access and protection for partners? Which users don’t require any account management? © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Example environment Pare down to the services you need 9/4/2018 6:45 PM Example environment Pare down to the services you need Adjust account types and license plans for the desired coverage © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 & 3: Tenant setup for secure environments 9/4/2018 6:45 PM 2 & 3: Tenant setup for secure environments © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Tenant-wide setup for secure environments 9/4/2018 6:45 PM Tenant-wide setup for secure environments Tune threat management policies in Office 365 Security & Compliance Center Configure Exchange and SharePoint tenant-wide settings Azure AD settings Anti-Malware Engine Mail flow Transport rules Named locations Trusted IP address ranges ATP Safe Attachments Enable modern-auth Exchange and Skype for Business Block non-modern auth apps (coming soon) ATP Safe links Anti-Spam Mail filtering SharePoint External sharing policies See topic 6: Tenant setup and configuration (aka.ms/SecureCampaign) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Startup Cloud App Security 9/4/2018 6:45 PM Startup Cloud App Security Also view the dashboards and reports in the Security and Compliance Center © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. Identity and device access and management 9/4/2018 6:45 PM 4. Identity and device access and management © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Key decisions B2B accounts Managing devices Windows 10 9/4/2018 6:45 PM Key decisions B2B accounts For B2B users that have access to sensitive data, consider licensing with EMS E5 and using Mobile Application Management (MAM) capabilities. Managing devices Choose whether to enroll devices into Intune for management. Windows 10 Includes compelling security capabilities that make this a recommendation for organizations with a high threat profile. See topic 7: Device protection (aka.ms/SecureCampaign) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/4/2018 6:45 PM Example starting-point plan © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Access rules and policies 9/4/2018 6:45 PM Access rules and policies See topic 8: Conditional access rules (aka.ms/SecureCampaign) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. SharePoint site and file protection 9/4/2018 6:45 PM 5. SharePoint site and file protection © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

SharePoint team site & file protection 9/4/2018 6:45 PM SharePoint team site & file protection Baseline protection Sensitive protection Highly confidential Internal Public Private Sensitive Highly Confidential Public site and group. Private site and group. Sharing allowed outside the group. Private site and group. Sharing limited to members. Private isolated site. Sharing limited to members. Other users cannot request access. DLP rule Warn users when sending files outside the organization DLP rule Block users from sending files outside the organization Create Office 365 labels and automatically label files in document libraries Configure DLP rules to protect sensitive and highly confidential files Use AIP to permission and encrypt files See topic 10: SharePoint Online (aka.ms/SecureCampaign) © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download the guidance & build your own test lab environment 9/4/2018 6:45 PM Download the guidance & build your own test lab environment Microsoft Security Guidance for Political Campaigns Test lab guides aka.ms/SecureCampaign © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/4/2018 6:45 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.